A hacker has managed to exploit the protocol’s smart contracts.
Key Takeaways
A hacker has drained over $16 million from index pools on Indexed Finance.
The exploit worked by tricking the algorithm governing the pools into calculating the pool’s value much lower than it should have been.
Despite two independent security experts reviewing the protocol’s smart contracts, the vulnerabilities were not discovered.
Indexed Finance has lost over $16 million worth of users’ assets after a hacker exploited a vulnerability in the protocol’s smart contracts.
Indexed Finance Exploited
A hacker has found a way to game Indexed Finance’s smart contracts.
The exploit, which took place Thursday evening, saw a hacker drain over $16 million worth of assets from two Indexed Finance indices.
The hacker took funds from the DEFI5 and CC10 pools by attacking the smart contract code governing how the pools calculate the value of deposited assets. By pumping flash-loaned assets into the pools in exchange for UNI tokens, the hacker managed to trick the algorithm into calculating the pool’s value much lower than it should have been.
This allowed the hacker to mint huge quantities of the pool’s index tokens which were then burned to claim the underlying assets. After the hacker paid off the initial flash loans, they managed to escape with $11 million worth of assets from the DEFI5 pool and a further $5 million from the CC10 pool.
Following the exploit, the Indexed Finance team quickly assessed the situation and put out a post-mortem, breaking down how the exploit happened and apologizing to the community. Additionally, the protocol’s developers have already suggested a way to stop the exploit from happening again, commenting:
“We will modify the controller smart contracts to remove the approximate value function and replace it with one that takes the combined value of the balances held by a pool in every token it owns.”
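The difference between the two valuation approaches can be seen in a small model. This is an added example, not Indexed Finance's contract code: it assumes the approximate value is extrapolated from a single token's balance and target weight, and the pool balances, prices, equal weights, fee-free swap and the `divergence` check are all constructed for illustration.

```python
from fractions import Fraction as F

def make_pool():
    # Constructed sample pool: four tokens, equal 25% weights, $25M each.
    return {
        "UNI":  {"balance": F(1_000_000), "price": F(25),   "weight": F(1, 4)},
        "AAVE": {"balance": F(100_000),   "price": F(250),  "weight": F(1, 4)},
        "COMP": {"balance": F(100_000),   "price": F(250),  "weight": F(1, 4)},
        "MKR":  {"balance": F(10_000),    "price": F(2500), "weight": F(1, 4)},
    }

def approximate_value(pool, anchor="UNI"):
    # Assumed shape of the weak estimate: extrapolate the whole pool's value
    # from a single token's balance and its target weight.
    t = pool[anchor]
    return t["balance"] * t["price"] / t["weight"]

def combined_value(pool):
    # The replacement described in the quote above: sum the value of the
    # balance the pool holds in every token it owns.
    return sum(t["balance"] * t["price"] for t in pool.values())

def swap(pool, token_in, amount_in, token_out):
    # Equal-weight constant-product swap with no fee (a simplification).
    bal_in, bal_out = pool[token_in]["balance"], pool[token_out]["balance"]
    amount_out = bal_out * amount_in / (bal_in + amount_in)
    pool[token_in]["balance"] = bal_in + amount_in
    pool[token_out]["balance"] = bal_out - amount_out
    return amount_out

def divergence(pool, anchor="UNI"):
    # Hypothetical sanity check: ratio of the estimate to the full sum.
    # A balanced pool gives 1; a skewed pool drifts far from it.
    return approximate_value(pool, anchor) / combined_value(pool)

def demo():
    pool = make_pool()
    before = (approximate_value(pool), combined_value(pool), divergence(pool))
    swap(pool, "AAVE", F(900_000), "UNI")  # one oversized trade skews balances
    after = (approximate_value(pool), combined_value(pool), divergence(pool))
    return before, after

if __name__ == "__main__":
    for label, (approx, full, ratio) in zip(("before", "after"), demo()):
        print(f"{label}: approx=${float(approx):,.0f} "
              f"full=${float(full):,.0f} ratio={float(ratio):.3f}")
```

In this model the single-token estimate falls to a tenth of its starting value while the summed valuation does not fall at all, which is why a function that reads every balance is the safer input for any repricing or minting decision.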
It is important to note that two independent security experts audited the Indexed Finance smart contracts before the protocol deployed them. Both Daniel Luca, a former auditor for ConsenSys Diligence, and Mudit Gupta, current core developer for Sushi, reviewed the contracts but could not spot the vulnerabilities.
Indexed Finance is a DeFi protocol that allows users to invest in various cryptocurrency-based indexes. Each index pool allows users to freely trade between the index token and the underlying assets, a feature that the hacker managed to exploit.
The Indexed Finance team has yet to announce a plan to compensate users for their lost assets, stating that they will have a proposal ready soon.
Indexed Finance joins a long list of DeFi protocols to suffer exploits this year. While some hacks, such as the $600 million Poly Network exploit, resulted in the hacker eventually returning the stolen funds, in many cases the assets are never recovered. Judging by the complexity of the Indexed Finance exploit, it seems unlikely that the hacker will return the funds this time.
Disclaimer: At the time of writing this feature, the author owned BTC, ETH, and several other cryptocurrencies.